Former Cabinet Office minister Francis Maude established the importance of digital identity to government policy in a speech in 2014.
“The more we spend our life online, the more important it becomes that someone signing in to use a service is who they say they are,” he said. “We need to allow people to prove their identity in an entirely digital way.”
Unfortunately, Maude’s prediction to “allow government – and eventually private sector services too – to trust that a user is who they say they are” has not yet come to fruition. So what needs to happen to make digital identity work in the UK?
While there is no silver bullet, focusing on certain key goals is paramount. To sustain our ever-more connected and digital society, we must facilitate trusted relationships between organisations, governments and individuals. The way to establish and maintain these relationships is to create ecosystems of ubiquitous, reusable, standards-based digital identity that can interact seamlessly across schemes, sectors and borders.
To encourage the reuse of a digital identity, the critical first step involves striking the right balance in the initial creation of a digital identity, based on the appropriate level of trust and friction for a first-time interaction.
Digital services must be designed with the appropriate initial levels of trust, subsequently increasing levels of trust when required. It is a mistake to start with the maximum level of trust, which may be too high for the service. Instead, enhance trust as and when required. Digital identity standards allow services to map their increasing identity trust requirements effectively.
Digital identity should be used at the point of need, with appropriate controls where absolutely necessary to complete the task. There is evidence that motivated users achieve high levels of success in verifying their identity in the right circumstances.
Value of standards-based digital identities
The UK identity standards, built in response to real-world threats and risks, are world-leading, support equivalence with the European Union’s eIDAS regulation, and are closely aligned with the US NIST SP 800-63A standard. Adopting recognised standards facilitates trust and mitigates business risks, leading to less friction and greater compliance.
Ensuring that solutions to establish digital identities are assured against standards means the methods and data used in the identity proofing of individuals can be trusted. This allows service providers to be sure they are consuming equivalent identities from a growing marketplace and providing confidence for users that services are safe and secure.
We need to encourage organisations to work with, rather than against, recognised standards, because disruptive non-standards-based identity solutions are counterproductive in a regulated, risk-based environment.
In the long term, organisations will come to realise that alignment with recognised standards can help facilitate interoperability with other schemes, sectors and countries; creates a level playing field; allows more informed purchasing decisions as solutions can be compared more easily; and establishes the potential for a bigger marketplace while deterring “big fish” monopolies or cartels in a small pond.
This has been witnessed throughout the evolution of trust federations, such as financial payments networks and standards from global organisations including ISO, IETF and others.
How to get the most out of standards
Prescribing rigid levels of assurance (LOA) has hindered the uptake of digital identity, as risk-averse service providers have often opted for the highest possible LOA, which often introduces unnecessary friction for the user.
What has become apparent is that we should not be focused solely on LOA-based digital identities, but should include more granular components or elements – for instance, grading an individual piece of evidence based on its issuance and security features, together with its associated validation or verification methods, against standards.
We must work with regulators to ensure their regulations refer to this componentised view or more granular levels, rather than prescriptive statements such as “check a passport or driving licence”. More defined LOAs then only become important on the boundaries of a federation or scheme when equivalence is required, to move between them.
Learn lessons from Verify, good and bad
The UK government’s successful development of common standards and assurance processes helped to define and build a working federation of private-sector identity providers, delivering a greater number of assured digital identities than Estonia, which is often held up as an example of a government-backed ID scheme.
However, it is worth remembering that the Gov.uk Verify programme is just one implementation of a scheme based on standards. The private sector needs to take the successful elements of this trust ecosystem and the lessons learned, and adapt them for broader use everywhere, starting in the private sector itself.
To facilitate this, the UK government will need to make policy changes and government attributes available to enable validation of government-issued evidence documents. It is technically possible to create assured identities without the validation of passports or driving licences, but this substantially narrows user choice and restricts the demographic reach, which ultimately creates usability issues.
This must be a collaborative activity and not solely the government’s responsibility. The private sector needs to specify clear requirements that take account of commercial, operational and technical challenges. This is especially pertinent today, given the uncertainty of budgets and the distraction of Brexit.
Challenge current implementations, frameworks and models
Verify operates through a central hub, but is this the right implementation model? We can’t assume that a hub offering users a choice of providers is the right model for the private sector, because requiring a multiplicity of providers goes against commercial reality.
Service providers or the consumers of identity need to create the greatest opportunity for success and the least friction for their customers. So consumers of identity will procure the most suitable provider in a commercial context to meet their specific needs, rather than letting a user choose an identity provider, which may or may not be suitable.
To make digital identity work in the UK, we must facilitate a marketplace of assured, standards-based identities to allow users to authenticate using their existing identities across schemes, sectors and borders.
Private sector must take the lead
No one organisation or group can solve these challenges – strong collaboration and coordination between the private and public sectors is needed to succeed. But the private sector needs to take the initiative, be clear about what it wants from government, and support and build on the work government has successfully delivered.
Key steps to digital identity
- Adopt identity standards – enable assured, mutual trust between individuals, organisations and government.
- Ensure equivalence – facilitate interoperability across sectors and borders.
- Enable ubiquitous digital identities – assured once against standards and used often, anywhere.
- Grant access to trusted government attributes – create greater citizen choice across a wider demographic when assuring digital identities.
- Develop identity solutions assured against standards – buyers need to be able to assess the quality of what they are buying.
- Make frameworks extensible – allow opportunities for new entrants, preventing big fish in small ponds.